Companies must report loss of USB stick containing personal data

Published on 9 December 2015 at 16:31

From January 1, 2016, businesses and governments are required to report serious data breaches, such as the loss of a USB stick containing personal data.

If there is only a security weakness that has had no consequences, no report needs to be made.

The Dutch Data Protection Authority (CBP) today set out (.pdf) when data breaches must be reported. The CBP emphasizes that it is always up to the party concerned to make the assessment. A data breach must be reported within 72 hours of discovery.

"The expectation is that the protection of personal data will be given a much higher priority in the development of products and services," said CBP chairman Jacob Kohnstamm in a statement.

Besides a lost USB stick, a breach can involve a stolen laptop or, as happens more often, a hack of data from a server. This happened, for example, at the Chinese toy and gadget company Vtech.

Personal data

The CBP also explains what is meant by personal data. This includes, for example, data that provide information about someone's personal beliefs, race and political affiliation.

Financial information, login data, data that can be used for identity fraud, and information about matters such as a gambling addiction or relationship are also included.

In addition, the CBP writes that other factors may play a role in reporting a data breach, such as the amount of leaked information.

Inform users

The CBP guidelines also state that a party does not always have to notify the affected individuals. This is only required if the data breach is likely to have adverse effects for the person in question, for example if it is necessary to change a password.

In a response to NOS, the privacy watchdog emphasizes that it is always up to the company or government body to determine whether a breach should be reported. The CBP can afterwards push the party to notify users after all.

If parties do not comply with the new guidelines, the CBP, which from January 1 will be called the Autoriteit Persoonsgegevens (Personal Data Authority), can impose a fine, which can reach up to 820,000 euros.

http://nos.nl/   © Reuters
